Oxford study warns of the risk of internal cyber-attacks


A new Oxford study warns that internal cyber attacks against companies are an increasing threat that cost tens of billions of dollars a year worldwide, can destroy companies, and sink the careers of many senior executives.

Oxford, Oxfordshire (PRWEB UK) 28 August 2014

For immediate release: 28 August 2014

Press release

The Danger From Within

Oxford study warns of the increasing risk of internal cyber-attacks

Saïd Business School, University of Oxford

In a new Harvard Business Review article, Professor David Upton of Saïd Business School and Professor Sadie Creese of Oxford’s Global Cyber Security Capacity Centre warn that internal cyber attacks against companies are an increasing threat that costs tens of billions of dollars a year worldwide, can destroy companies, and can sink the careers of many senior executives. Their study found that while many organisations are intensifying their defences against external attack, these widely used safeguards are often ineffective against attacks involving insiders. Attacks from insiders, whether employees, suppliers, or other companies legitimately connected to a company’s computer systems, pose a more pernicious threat than external attacks.

Cyber attacks on corporations are on the increase. The 2013 cyber attack on Target, in which Russian thieves compromised point-of-sale information, made headline news: it left the company with a potential loss of $420 million and affected 70 million customers. What is less well known is that the attack came through an unwitting vendor that had authorised access to Target’s computers, and which was therefore an insider in Target’s ecosystem.

Over the past two years Professor Upton and Professor Creese have led an international research project whose goal is to provide a significant step change in insider threat prevention and detection so that companies can be better protected. The study found that many managers were ignorant of the threat of insider attacks and of the risks they pose: fraud, sabotage, intellectual property theft, and corporate terrorism. The key to reducing their vulnerability, the authors say, is to adopt the same approach companies applied to improve quality and safety at the end of the last decade. They recommend removing the reliance on the IT team and making it everyone’s responsibility to ensure that critical assets are protected, proposing five steps that managers should implement immediately to reduce the risks:

1. Adopt a robust insider policy

Introduce a clear and concise policy to address what people must or must not do to deter insiders who introduce risk through carelessness, negligence or mistakes. The rules must apply to all levels of the organisation and employees should be given tools to help them adhere to the policy (such as on-screen warning messages). The policy should regularly be reinforced with information sessions and internal communications campaigns.

2. Raise awareness

Be open about likely threats so staff can detect them, and customise training to take into account the kinds of attacks they might encounter, such as phishing: phony emails that trick staff into sharing personal details or access codes, or into downloading malware when a link is clicked. Encourage employees to report unusual or prohibited technologies or behaviour, such as the use of portable hard drives or requests for confidential data files.

3. Look out for threats when hiring

Adopt screening processes and interview techniques designed to weed out potential threats before they become privileged members of staff. Examples include criminal background checks, looking for misrepresentations on resumes, and techniques that assess a candidate’s moral compass. During the interview process managers should also assess cyber-safety awareness.

4. Employ rigorous subcontracting processes

Organisations must ensure that suppliers or distributors do not put them at risk or create a back door into their systems. It is therefore imperative that managers seek out partners and suppliers that have the same risk appetite and culture, and audit them regularly to ensure that practices are maintained; if necessary, screen their employees for criminal records, check candidates’ employment histories, and monitor their access to the organisation’s data and applications for unauthorised activity.

5. Monitor employees

The researchers recommend using readily available security software to monitor employee activities, such as the websites they access, because the information this yields helps to detect danger early. Regular risk assessments will identify the likely sources of threats, the employees and networks most exposed to them, and the consequences if a risk becomes a reality.
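The monitoring in step 5 is most useful when it compares each person’s activity with that person’s own normal pattern rather than with a single fixed limit, since a legitimate power user and an employee quietly copying a file share can have the same daily count. The script below is an added illustration written for this page, not software from the study, from Saïd Business School, or from the HBR article; the log line format (timestamp | user | event | detail), the event names (file_read, usb_mount), the working-hours window and the thresholds are all assumptions, and the log lines are constructed sample data. It raises three kinds of alert discussed in the article’s steps: access outside working hours, use of removable media, and a day of file access well above the user’s own baseline.

```python
"""Toy insider-activity monitor over constructed audit-log lines.

Added example for illustration; not code from the Oxford study or the
HBR article. Log format, event names and thresholds are assumptions.
"""
from collections import Counter, defaultdict
from datetime import datetime, time
from statistics import median

# Assumed working-hours window; events outside it are flagged.
WORK_START, WORK_END = time(7, 0), time(20, 0)
# A user's daily file_read count is flagged when it is at least
# BULK_FACTOR times the median of that user's other observed days and
# at least MIN_BULK reads, and only once MIN_BASELINE_DAYS are known.
BULK_FACTOR = 3
MIN_BULK = 5
MIN_BASELINE_DAYS = 2

# Constructed sample log in the assumed format "timestamp | user | event | detail".
SAMPLE_LOG = """
2014-08-04T09:12:00 | alice | file_read | /share/finance/q2.xlsx
2014-08-04T14:03:00 | alice | file_read | /share/finance/budget.docx
2014-08-04T10:00:00 | bob   | file_read | /share/rnd/notes.txt
2014-08-04T10:30:00 | carol | file_read | /share/hr/handbook.pdf
2014-08-05T02:31:00 | bob   | file_read | /share/rnd/design.cad
2014-08-05T02:34:00 | bob   | usb_mount | /dev/sdb1
2014-08-05T09:05:00 | alice | file_read | /share/finance/q2.xlsx
2014-08-05T15:20:00 | alice | file_read | /share/finance/forecast.xlsx
2014-08-06T09:30:00 | alice | file_read | /share/finance/q2.xlsx
2014-08-06T11:00:00 | alice | file_read | /share/finance/budget.docx
2014-08-06T11:15:00 | bob   | file_read | /share/rnd/notes.txt
2014-08-07T09:00:00 | alice | file_read | /share/finance/q1.xlsx
2014-08-07T09:10:00 | alice | file_read | /share/finance/q2.xlsx
2014-08-07T09:20:00 | alice | file_read | /share/finance/q3.xlsx
2014-08-07T09:30:00 | alice | file_read | /share/finance/payroll.xlsx
2014-08-07T09:40:00 | alice | file_read | /share/hr/salaries.xlsx
2014-08-07T09:50:00 | alice | file_read | /share/hr/reviews.docx
2014-08-07T10:00:00 | alice | file_read | /share/legal/contracts.zip
"""


def parse_log(text):
    """Parse the assumed log format into (datetime, user, event, detail) tuples."""
    events = []
    for line in text.strip().splitlines():
        ts, user, event, detail = [part.strip() for part in line.split("|")]
        events.append((datetime.fromisoformat(ts), user, event, detail))
    return events


def detect(events):
    """Return a list of (kind, user, when, detail) alerts in discovery order."""
    alerts = []
    daily_reads = defaultdict(Counter)  # user -> Counter(date -> file_read count)
    for ts, user, event, detail in events:
        if event == "usb_mount":
            alerts.append(("REMOVABLE_MEDIA", user, ts.isoformat(), detail))
        # Off-hours check applies to every event type, so an off-hours
        # usb_mount produces both alerts; that is intended.
        if not WORK_START <= ts.time() < WORK_END:
            alerts.append(("OFF_HOURS", user, ts.isoformat(), f"{event} {detail}"))
        if event == "file_read":
            daily_reads[user][ts.date()] += 1
    # Per-user baseline: each day is compared with the median of the user's other days.
    for user, per_day in daily_reads.items():
        for day, count in sorted(per_day.items()):
            others = [c for d, c in per_day.items() if d != day]
            if len(others) < MIN_BASELINE_DAYS:
                continue
            baseline = median(others)
            if count >= MIN_BULK and count >= BULK_FACTOR * baseline:
                alerts.append(("BULK_ACCESS", user, day.isoformat(),
                               f"{count} reads vs baseline {baseline}"))
    return alerts


def run(text=SAMPLE_LOG):
    """Parse and analyse a log; returns the alerts so callers can assert on them."""
    return detect(parse_log(text))


if __name__ == "__main__":
    for kind, user, when, detail in run():
        print(f"{kind:16} {user:6} {when}  {detail}")
```

Against the constructed log this reports bob’s 02:31 file access and 02:34 USB mount as off-hours, the mount as removable media, and alice’s seven reads on 7 August as bulk access against her baseline of two a day; carol, with only one observed day, is never scored. In practice the baseline window, the hours and the event sources would come from the organisation’s own risk assessment, and a real deployment would include peer-group comparison and human review before any action is taken.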

‘We have burglar alarms installed to prevent people breaking into our houses,’ said Professor Upton. ‘But it’s the people we let through the door that are the problem. It’s the same for organisations. The principles used to defend against external threats just don’t work with insiders. In recent years businesses have been letting more people into their houses – be it through the use of cloud services, Google drives, employees bringing their own devices to work, or through the proliferation of social media and use of big data. Though these people may have a legitimate access to an organisation’s cyber-assets, the scope for them to exploit this or be exploited is hugely increased.’

‘We found wide-scale global ignorance of the nature of the threat organisations face from internal attack, leaving corporate assets vulnerable, jobs and bonuses insecure, and reputations at risk,’ said Professor Creese. ‘We are now expanding the initial survey of 35 companies to 5,000 which will enable us to develop models to detect threats more accurately, faster and earlier than current solutions, and to help us develop education and awareness materials to help transfer knowledge and management skills to stakeholders.’

Sponsored by the Centre for the Protection of National Infrastructure (CPNI), the study was conducted by an interdisciplinary 16-member team combining computer security specialists, management academics, scientific visualisation experts, psychologists and criminologists. The team included six professors and five researchers across three universities (Oxford, the University of Leicester, and Cardiff University).

Saïd Business School at the University of Oxford blends the best of new and old. We are a vibrant and innovative business school, yet deeply embedded in an 800-year-old world-class university. We create programmes and ideas that have global impact. We educate people for successful business careers, and as a community seek to tackle world-scale problems. We deliver cutting-edge programmes and ground-breaking research that transform individuals, organisations, business practice, and society. We seek to be a world-class business school community, embedded in a world-class University, tackling world-scale problems.

In the Financial Times European Business School ranking (Dec 2013) Saïd is ranked 12th. It is ranked 14th worldwide in the FT’s combined ranking of Executive Education programmes (May 2014) and 23rd in the world in the FT ranking of MBA programmes (Jan 2014). The MBA is ranked 5th in Businessweek’s full time MBA ranking outside the USA (Nov 2012) and is ranked 5th among the top non-US Business Schools by Forbes magazine (Sep 2013). The Executive MBA is ranked 23rd worldwide in the FT’s ranking of EMBAs (Oct 2013). The Oxford MSc in Financial Economics is ranked 7th in the world in the FT ranking of Masters in Finance programmes (Jun 2014). In the UK university league tables it is ranked first of all UK universities for undergraduate business and management in The Guardian (Jun 2013) and has ranked first in nine of the last ten years in The Times (Sept 2013). For more information, see http://www.sbs.ox.ac.uk/